
Monthly Archives: November 2012

The Three Step Approach to Vulnerability Management

I spend the majority of my time researching and talking about current threats and vulnerabilities and their subsequent countermeasures. There are many essential components of an IT policy for these, and most people have a good handle on two of the three most important components.

First and foremost, an effective patch management process needs to be implemented in every organization. As non-Microsoft products are increasingly created and used by organizations, patching is not simply a Microsoft issue anymore. Patching is widely considered a proactive approach to vulnerability management. An effective patch management process closes vulnerabilities before they are exploited. Most companies have had an effective process around operating system patching (Microsoft Windows, Mac OS, Unix/Linux) and are now starting to focus on patching applications that may not come from the major software vendors commonly used today.

Second, an effective antivirus strategy is critical in this defense. An antivirus defense can be considered a reactive approach to security and vulnerability management. Fixing software vulnerabilities will ensure a potential virus cannot attack the insecure software. But antivirus is still a critical component even in an organization that has all systems up to date with patches. During the year, we see many zero-day vulnerabilities that are announced and attacked. A zero-day vulnerability is a vulnerability that does not currently have a patch to fix the issue. This can create a headache for organizations as they patiently wait for a vendor to fix the issue. An effective antivirus solution will ensure that viruses are discovered and removed before anything malicious can happen to these vulnerable systems.

As you can see, patch management and Antivirus are both effective and critical processes.  In addition, there is a third option that is quite often left out.

I quite often bring up this last option with organizations that are grappling with a good security policy:

1. Have a good patch management policy and process.
2. Ensure all of your assets are covered by some type of antivirus product.
3. Diminish your attack surface.

An attack surface, with regard to vulnerabilities, is the number of software programs that are installed on your machine. If a program is not used, remove it from the machine. This will reduce the number of software programs that must be managed and monitored for potential vulnerabilities.

We all know of machines on our networks that are like a bad episode of Hoarders. These machines have software programs that were installed for a single use and then left on the machine. It is important to note that all software has the potential to contain known and unknown vulnerabilities. Reducing the number of software programs running on a machine will mitigate the potential for attack. However, one of the challenges of this third type of policy is identifying software on machines. The benefit of adding a strategy for managing software on your network is a reduction in the amount of time needed for patch management and virus removal. VMware offers several vulnerability management solutions that allow administrators to identify installed software on many machines on a network, including:

VMware vCenter Protect  Advanced (for organizations of all sizes)
– Includes Patch Management, Software Asset Inventory, Antivirus protection, ITScripts and Power Management

VMware Go (for the small-to-medium size business)
– Includes Patch Management and Software Asset Inventory

VMware vCenter Configuration Manager (for enterprise organizations)
– Includes Patch Management and Software Asset Inventory

In the images below, I have provided an example of software asset inventory in VMware vCenter Protect and VMware Go.

(VMware vCenter Protect)

(VMware Go)
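
The third step above, worked through as an added example (not from the original post or any VMware product): given a software inventory, flag programs that were never used or have sat idle, and count how many program versions remain to be tracked for patches after removal. The record layout, the host and program names, and the 90-day idle threshold are assumptions, and the data is constructed.

```python
from collections import defaultdict
from datetime import date

# Constructed sample records: (host, program, version, last_used).
# last_used is None when no launch was ever recorded. A real inventory
# would come from an asset-inventory export; this layout is an assumption.
INVENTORY = [
    ("ws-01", "Office Suite", "14.0", date(2012, 11, 20)),
    ("ws-01", "PDF Reader", "9.4", date(2012, 11, 19)),
    ("ws-01", "Java Runtime", "6u31", date(2012, 2, 3)),
    ("ws-01", "Media Player", "2.0", None),
    ("ws-02", "Office Suite", "14.0", date(2012, 11, 21)),
    ("ws-02", "PDF Reader", "10.1", date(2012, 11, 2)),
    ("ws-02", "Java Runtime", "7u9", date(2012, 11, 18)),
    ("ws-02", "FTP Client", "3.5", date(2011, 6, 30)),
]

def removal_candidates(inventory, today, max_idle_days=90, keep=frozenset()):
    """Map host -> [(program, reason)] for software that looks unused."""
    flagged = defaultdict(list)
    for host, program, _version, last_used in inventory:
        if program in keep:  # needed by the business even if rarely run
            continue
        if last_used is None:
            flagged[host].append((program, "never used"))
        elif (today - last_used).days > max_idle_days:
            idle = (today - last_used).days
            flagged[host].append((program, f"idle {idle} days"))
    return dict(flagged)

def patch_streams(inventory):
    """Distinct (program, version) pairs that must be tracked for patches."""
    return {(program, version) for _h, program, version, _u in inventory}

def after_removal(inventory, candidates):
    """Inventory with the flagged programs uninstalled from their hosts."""
    drop = {(h, p) for h, items in candidates.items() for p, _ in items}
    return [rec for rec in inventory if (rec[0], rec[1]) not in drop]

if __name__ == "__main__":
    today = date(2012, 11, 30)
    found = removal_candidates(INVENTORY, today)
    for host, items in sorted(found.items()):
        for program, reason in items:
            print(f"{host}: remove {program} ({reason})")
    before = len(patch_streams(INVENTORY))
    after = len(patch_streams(after_removal(INVENTORY, found)))
    print(f"program versions to track for patches: {before} -> {after}")
```

The `keep` set is where software that is rarely launched but still required is exempted, so that it is not flagged purely on idle time.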

VMware Security Note

Today, Nov. 4, 2012, our security team became aware of the public posting of VMware ESX source code dating back to 2004. This source code is related to the source code posted publicly on April 23, 2012. (For reference: April 24, 2012 and May 3, 2012). It is possible that more related files will be posted in the future. We take customer security seriously and have engaged our VMware Security Response Center to thoroughly investigate.

Ensuring customer security is our top priority. As a matter of best practices with respect to security, VMware strongly encourages all customers to apply the latest product updates and security patches made available for their specific environment. We also recommend customers review our security hardening guides. By applying the combination of the most current product updates and the relevant security patches, we believe our customer environments will be best protected.

As is our practice, VMware will continue to assess any further security risks, and will provide recommendations and updates here as appropriate.

Note: We encourage customers to view the May 3, 2012 security patch information as a resource: http://kb.vmware.com/kb/2019941 and http://www.vmware.com/security/advisories/VMSA-2012-0009.html